diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4e7b40d35c..b4e27619bf 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1123,6 +1123,8 @@ if(BUILD_TESTING)
 add_custom_target(
 acvp_tests
+ COMMAND ${CMAKE_COMMAND} -E echo
+ COMMAND ${CMAKE_COMMAND} -E echo "Running ACVP tests"
 COMMAND ${GO_EXECUTABLE} run check_expected.go -tool ${ACVP_TOOL} -module-wrappers modulewrapper:$,testmodulewrapper:${TEST_WRAPPER}
@@ -1164,6 +1166,7 @@ if(BUILD_TESTING)
 if(BUILD_LIBSSL)
 add_custom_target(
 run_ssl_runner_tests
+ COMMAND ${CMAKE_COMMAND} -E echo "Running SSL tests"
 COMMAND cd ssl/test/runner && ${GO_EXECUTABLE} test -timeout ${GO_TEST_TIMEOUT} -shim-path $ ${HANDSHAKER_ARGS} ${RUNNER_ARGS} ${AWS_LC_SSL_RUNNER_INDEX_FILTER} ${SSL_TRANSFER_ARGS}
@@ -1173,6 +1176,7 @@ if(BUILD_TESTING)
 add_custom_target(
 run_ssl_runner_tests_valgrind
+ COMMAND ${CMAKE_COMMAND} -E echo "Running SSL tests"
 COMMAND cd ssl/test/runner && ${GO_EXECUTABLE} test -timeout ${GO_TEST_TIMEOUT} -shim-path $ -valgrind ${HANDSHAKER_ARGS} ${RUNNER_ARGS} ${AWS_LC_SSL_RUNNER_INDEX_FILTER} ${SSL_TRANSFER_ARGS}
@@ -1182,7 +1186,11 @@ if(BUILD_TESTING)
 add_custom_target(
 run_tests
+ COMMAND ${CMAKE_COMMAND} -E echo
+ COMMAND ${CMAKE_COMMAND} -E echo "Running Go tests"
 COMMAND ${GO_EXECUTABLE} test ${GO_TESTS}
+ COMMAND ${CMAKE_COMMAND} -E echo
+ COMMAND ${CMAKE_COMMAND} -E echo "Running unit tests"
 COMMAND ${GO_EXECUTABLE} run util/all_tests.go -build-dir ${PROJECT_BINARY_DIR}
 WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}
@@ -1191,7 +1199,10 @@ if(BUILD_TESTING)
 else()
 add_custom_target(
 run_tests
+ COMMAND ${CMAKE_COMMAND} -E echo "Running Go tests"
 COMMAND ${GO_EXECUTABLE} test ${GO_TESTS}
+ COMMAND ${CMAKE_COMMAND} -E echo
+ COMMAND ${CMAKE_COMMAND} -E echo "Running unit tests"
 COMMAND ${GO_EXECUTABLE} run util/all_tests.go -build-dir ${PROJECT_BINARY_DIR} -ssl-tests=false
 WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}
diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
index 41d56b4710..a503186815 100644
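Review bot: The run_ssl_runner_tests and run_ssl_runner_tests_valgrind targets both echo the identical banner `"Running SSL tests"`, so in a CI log the valgrind run is indistinguishable from the plain run; `COMMAND ${CMAKE_COMMAND} -E echo "Running SSL tests (valgrind)"` in the second target would name it. The two SSL targets are also the only ones that did not receive the leading bare `-E echo` spacer given to acvp_tests and both run_tests variants, so the banner layout is inconsistent across targets. Each add_custom_target call continues outside its hunk, so whether VERBATIM is present cannot be confirmed from here; without it the escaping of the quoted banner is generator-dependent.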
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -607,7 +607,6 @@ function(build_libcrypto name module_source)
 if(FIPS_DELOCATE OR FIPS_SHARED)
 add_dependencies(${name} bcm_o_target)
 endif()
- SET_TARGET_PROPERTIES(${name} PROPERTIES LINKER_LANGUAGE C)
 if(WIN32)
 target_link_libraries(${name} PUBLIC ws2_32)
 endif()
diff --git a/crypto/cipher_extra/e_aes_cbc_hmac_sha1.c b/crypto/cipher_extra/e_aes_cbc_hmac_sha1.c
index 95340d1d32..71323427e3 100644
--- a/crypto/cipher_extra/e_aes_cbc_hmac_sha1.c
+++ b/crypto/cipher_extra/e_aes_cbc_hmac_sha1.c
@@ -372,7 +372,6 @@ static const EVP_CIPHER aesni_128_cbc_hmac_sha1_cipher = {
 AES_BLOCK_SIZE /* iv len */,
 sizeof(EVP_AES_HMAC_SHA1) /* ctx_size */,
 EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER /* flags */,
- NULL /* app_data */,
 aesni_cbc_hmac_sha1_init_key,
 aesni_cbc_hmac_sha1_cipher,
 NULL /* cleanup */,
@@ -385,7 +384,6 @@ static const EVP_CIPHER aesni_256_cbc_hmac_sha1_cipher = {
 AES_BLOCK_SIZE /* iv len */,
 sizeof(EVP_AES_HMAC_SHA1) /* ctx_size */,
 EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER /* flags */,
- NULL /* app_data */,
 aesni_cbc_hmac_sha1_init_key,
 aesni_cbc_hmac_sha1_cipher,
 NULL,
diff --git a/crypto/cipher_extra/e_aes_cbc_hmac_sha256.c b/crypto/cipher_extra/e_aes_cbc_hmac_sha256.c
index 2557637a2b..ca5c9cfad3 100644
--- a/crypto/cipher_extra/e_aes_cbc_hmac_sha256.c
+++ b/crypto/cipher_extra/e_aes_cbc_hmac_sha256.c
@@ -368,7 +368,6 @@ static const EVP_CIPHER aesni_128_cbc_hmac_sha256_cipher = {
 AES_BLOCK_SIZE /* iv len */,
 sizeof(EVP_AES_HMAC_SHA256) /* ctx_size */,
 EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER /* flags */,
- NULL /* app_data */,
 aesni_cbc_hmac_sha256_init_key,
 aesni_cbc_hmac_sha256_cipher,
 NULL /* cleanup */,
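Review bot: Every EVP_CIPHER table touched here — aesni_128_cbc_hmac_sha1_cipher and aesni_256_cbc_hmac_sha1_cipher in this file, and the tables in e_aes_cbc_hmac_sha256.c, e_chacha20poly1305.c, e_des.c, e_null.c, e_rc2.c, e_rc4.c, blowfish.c, cast.c and cfb.c — is a positional initializer, so removing the app_data slot (the struct field is dropped in the fipsmodule/cipher/internal.h hunk) shifts every following field by one. Any EVP_CIPHER table that is not in this diff is caught only if the compiler rejects the resulting function-pointer type mismatch; the fipsmodule cipher tables do not appear in the diff, so that is presumably handled elsewhere but is worth stating in the commit message. Writing the callback fields as designated initializers, e.g. `.init = aesni_cbc_hmac_sha1_init_key,` and `.cipher = aesni_cbc_hmac_sha1_cipher,`, would make these tables immune to this kind of field removal.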
@@ -381,7 +380,6 @@ static const EVP_CIPHER aesni_256_cbc_hmac_sha256_cipher = {
 AES_BLOCK_SIZE /* iv len */,
 sizeof(EVP_AES_HMAC_SHA256) /* ctx_size */,
 EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_AEAD_CIPHER /* flags */,
- NULL /* app_data */,
 aesni_cbc_hmac_sha256_init_key,
 aesni_cbc_hmac_sha256_cipher,
 NULL /* cleanup */,
diff --git a/crypto/cipher_extra/e_chacha20poly1305.c b/crypto/cipher_extra/e_chacha20poly1305.c
index 4f79d8ca8c..94c47a0b7e 100644
--- a/crypto/cipher_extra/e_chacha20poly1305.c
+++ b/crypto/cipher_extra/e_chacha20poly1305.c
@@ -727,7 +727,6 @@ static EVP_CIPHER cipher_chacha20_poly1305 = {
 sizeof(CIPHER_CHACHA_POLY_CTX),
 EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,
- NULL, // app_data
 cipher_chacha20_poly1305_init,
 cipher_chacha20_poly1305_do_cipher,
 cipher_chacha20_poly1305_cleanup,
diff --git a/crypto/cipher_extra/e_des.c b/crypto/cipher_extra/e_des.c
index a4a876e028..baf0be0b8e 100644
--- a/crypto/cipher_extra/e_des.c
+++ b/crypto/cipher_extra/e_des.c
@@ -91,7 +91,6 @@ static const EVP_CIPHER evp_des_cbc = {
 /* iv_len = */ 8,
 /* ctx_size = */ sizeof(EVP_DES_KEY),
 /* flags = */ EVP_CIPH_CBC_MODE,
- /* app_data = */ NULL,
 /* init = */ des_init_key,
 /* cipher = */ des_cbc_cipher,
 /* cleanup = */ NULL,
@@ -121,7 +120,6 @@ static const EVP_CIPHER evp_des_ecb = {
 /* iv_len = */ 0,
 /* ctx_size = */ sizeof(EVP_DES_KEY),
 /* flags = */ EVP_CIPH_ECB_MODE,
- /* app_data = */ NULL,
 /* init = */ des_init_key,
 /* cipher = */ des_ecb_cipher,
 /* cleanup = */ NULL,
@@ -161,7 +159,6 @@ static const EVP_CIPHER evp_des_ede3_cbc = {
 /* iv_len = */ 8,
 /* ctx_size = */ sizeof(DES_EDE_KEY),
 /* flags = */ EVP_CIPH_CBC_MODE,
- /* app_data = */ NULL,
 /* init = */ des_ede3_init_key,
 /* cipher = */ des_ede3_cbc_cipher,
 /* cleanup = */ NULL,
@@ -187,7 +184,6 @@ static const EVP_CIPHER evp_des_ede_cbc = {
 /* iv_len = */ 8,
 /* ctx_size = */ sizeof(DES_EDE_KEY),
 /* flags = */ EVP_CIPH_CBC_MODE,
- /* app_data = */ NULL,
 /* init = */ des_ede_init_key,
 /* cipher = */ des_ede3_cbc_cipher,
 /* cleanup = */ NULL,
@@ -218,7 +214,6 @@ static const EVP_CIPHER evp_des_ede = {
 /* iv_len = */ 0,
 /* ctx_size = */ sizeof(DES_EDE_KEY),
 /* flags = */ EVP_CIPH_ECB_MODE,
- /* app_data = */ NULL,
 /* init = */ des_ede_init_key,
 /* cipher = */ des_ede_ecb_cipher,
 /* cleanup = */ NULL,
@@ -234,7 +229,6 @@ static const EVP_CIPHER evp_des_ede3 = {
 /* iv_len = */ 0,
 /* ctx_size = */ sizeof(DES_EDE_KEY),
 /* flags = */ EVP_CIPH_ECB_MODE,
- /* app_data = */ NULL,
 /* init = */ des_ede3_init_key,
 /* cipher = */ des_ede_ecb_cipher,
 /* cleanup = */ NULL,
diff --git a/crypto/cipher_extra/e_null.c b/crypto/cipher_extra/e_null.c
index e9ee8adc79..10a5c269e2 100644
--- a/crypto/cipher_extra/e_null.c
+++ b/crypto/cipher_extra/e_null.c
@@ -78,9 +78,9 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 }
 static const EVP_CIPHER n_cipher = {
- NID_undef, 1 /* block size */, 0 /* key_len */, 0 /* iv_len */,
- 0 /* ctx_size */, 0 /* flags */, NULL /* app_data */, null_init_key,
- null_cipher, NULL /* cleanup */, NULL /* ctrl */,
+ NID_undef, 1 /* block size */, 0 /* key_len */, 0 /* iv_len */,
+ 0 /* ctx_size */, 0 /* flags */, null_init_key, null_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 const EVP_CIPHER *EVP_enc_null(void) { return &n_cipher; }
diff --git a/crypto/cipher_extra/e_rc2.c b/crypto/cipher_extra/e_rc2.c
index ffc5e6b1d9..acc99ad8c1 100644
--- a/crypto/cipher_extra/e_rc2.c
+++ b/crypto/cipher_extra/e_rc2.c
@@ -433,7 +433,6 @@ static const EVP_CIPHER rc2_40_cbc = {
 8 /* iv len */,
 sizeof(EVP_RC2_KEY),
 EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
- NULL /* app_data */,
 rc2_init_key,
 rc2_cbc_cipher,
 NULL,
@@ -451,7 +450,6 @@ static const EVP_CIPHER rc2_cbc = {
 8 /* iv len */,
 sizeof(EVP_RC2_KEY),
 EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
- NULL /* app_data */,
 rc2_init_key,
 rc2_cbc_cipher,
 NULL,
diff --git a/crypto/cipher_extra/e_rc4.c b/crypto/cipher_extra/e_rc4.c
index 2f4f9bbac3..e252ad8dcb 100644
--- a/crypto/cipher_extra/e_rc4.c
+++ b/crypto/cipher_extra/e_rc4.c
@@ -81,9 +81,10 @@ static int rc4_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
 }
 static const EVP_CIPHER rc4 = {
- NID_rc4, 1 /* block_size */, 16 /* key_size */,
- 0 /* iv_len */, sizeof(RC4_KEY), EVP_CIPH_VARIABLE_LENGTH,
- NULL /* app_data */, rc4_init_key, rc4_cipher,
- NULL /* cleanup */, NULL /* ctrl */, };
+ NID_rc4, 1 /* block_size */, 16 /* key_size */,
+ 0 /* iv_len */, sizeof(RC4_KEY), EVP_CIPH_VARIABLE_LENGTH,
+ rc4_init_key, rc4_cipher, NULL /* cleanup */,
+ NULL /* ctrl */,
+};
 const EVP_CIPHER *EVP_rc4(void) { return &rc4; }
diff --git a/crypto/decrepit/blowfish/blowfish.c b/crypto/decrepit/blowfish/blowfish.c
index e0f50a1e26..4e5a00d533 100644
--- a/crypto/decrepit/blowfish/blowfish.c
+++ b/crypto/decrepit/blowfish/blowfish.c
@@ -594,30 +594,27 @@ static int bf_cfb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
 }
 static const EVP_CIPHER bf_ecb = {
- NID_bf_ecb, BF_BLOCK /* block_size */,
- 16 /* key_size */, BF_BLOCK /* iv_len */,
- sizeof(BF_KEY), EVP_CIPH_ECB_MODE | EVP_CIPH_VARIABLE_LENGTH,
- NULL /* app_data */, bf_init_key,
- bf_ecb_cipher, NULL /* cleanup */,
- NULL /* ctrl */,
+ NID_bf_ecb, BF_BLOCK /* block_size */,
+ 16 /* key_size */, BF_BLOCK /* iv_len */,
+ sizeof(BF_KEY), EVP_CIPH_ECB_MODE | EVP_CIPH_VARIABLE_LENGTH,
+ bf_init_key, bf_ecb_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 static const EVP_CIPHER bf_cbc = {
- NID_bf_cbc, BF_BLOCK /* block_size */,
- 16 /* key_size */, BF_BLOCK /* iv_len */,
- sizeof(BF_KEY), EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH,
- NULL /* app_data */, bf_init_key,
- bf_cbc_cipher, NULL /* cleanup */,
- NULL /* ctrl */,
+ NID_bf_cbc, BF_BLOCK /* block_size */,
+ 16 /* key_size */, BF_BLOCK /* iv_len */,
+ sizeof(BF_KEY), EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH,
+ bf_init_key, bf_cbc_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 static const EVP_CIPHER bf_cfb = {
- NID_bf_cfb64, 1 /* block_size */,
- 16 /* key_size */, BF_BLOCK /* iv_len */,
- sizeof(BF_KEY), EVP_CIPH_CFB_MODE | EVP_CIPH_VARIABLE_LENGTH,
- NULL /* app_data */, bf_init_key,
- bf_cfb_cipher, NULL /* cleanup */,
- NULL /* ctrl */,
+ NID_bf_cfb64, 1 /* block_size */,
+ 16 /* key_size */, BF_BLOCK /* iv_len */,
+ sizeof(BF_KEY), EVP_CIPH_CFB_MODE | EVP_CIPH_VARIABLE_LENGTH,
+ bf_init_key, bf_cfb_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 const EVP_CIPHER *EVP_bf_ecb(void) { return &bf_ecb; }
diff --git a/crypto/decrepit/cast/cast.c b/crypto/decrepit/cast/cast.c
index bc7723a1ce..012283ae27 100644
--- a/crypto/decrepit/cast/cast.c
+++ b/crypto/decrepit/cast/cast.c
@@ -384,21 +384,19 @@ static int cast_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
 }
 static const EVP_CIPHER cast5_ecb = {
- NID_cast5_ecb, CAST_BLOCK,
- CAST_KEY_LENGTH, CAST_BLOCK /* iv_len */,
- sizeof(CAST_KEY), EVP_CIPH_ECB_MODE | EVP_CIPH_VARIABLE_LENGTH,
- NULL /* app_data */, cast_init_key,
- cast_ecb_cipher, NULL /* cleanup */,
- NULL /* ctrl */,
+ NID_cast5_ecb, CAST_BLOCK,
+ CAST_KEY_LENGTH, CAST_BLOCK /* iv_len */,
+ sizeof(CAST_KEY), EVP_CIPH_ECB_MODE | EVP_CIPH_VARIABLE_LENGTH,
+ cast_init_key, cast_ecb_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 static const EVP_CIPHER cast5_cbc = {
- NID_cast5_cbc, CAST_BLOCK,
- CAST_KEY_LENGTH, CAST_BLOCK /* iv_len */,
- sizeof(CAST_KEY), EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH,
- NULL /* app_data */, cast_init_key,
- cast_cbc_cipher, NULL /* cleanup */,
- NULL /* ctrl */,
+ NID_cast5_cbc, CAST_BLOCK,
+ CAST_KEY_LENGTH, CAST_BLOCK /* iv_len */,
+ sizeof(CAST_KEY), EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH,
+ cast_init_key, cast_cbc_cipher,
+ NULL /* cleanup */, NULL /* ctrl */,
 };
 const EVP_CIPHER *EVP_cast5_ecb(void) { return &cast5_ecb; }
diff --git a/crypto/decrepit/cfb/cfb.c b/crypto/decrepit/cfb/cfb.c
index ab70bf2ad4..a55a497daa 100644
--- a/crypto/decrepit/cfb/cfb.c
+++ b/crypto/decrepit/cfb/cfb.c
@@ -105,66 +105,66 @@ static int aes_cfb128_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 }
 static const EVP_CIPHER aes_128_cfb1 = {
- NID_aes_128_cfb1, 1 /* block_size */, 16 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- NULL /* app_data */, aes_cfb_init_key, aes_cfb1_cipher,
- NULL /* cleanup */, NULL /* ctrl */,
+ NID_aes_128_cfb1, 1 /* block_size */, 16 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
+ aes_cfb_init_key, aes_cfb1_cipher, NULL /* cleanup */,
+ NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_128_cfb8 = {
- NID_aes_128_cfb8, 1 /* block_size */, 16 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- NULL /* app_data */, aes_cfb_init_key, aes_cfb8_cipher,
- NULL /* cleanup */, NULL /* ctrl */,
+ NID_aes_128_cfb8, 1 /* block_size */, 16 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
+ aes_cfb_init_key, aes_cfb8_cipher, NULL /* cleanup */,
+ NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_128_cfb128 = {
- NID_aes_128_cfb128, 1 /* block_size */, 16 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- NULL /* app_data */, aes_cfb_init_key, aes_cfb128_cipher,
- NULL /* cleanup */, NULL /* ctrl */,
+ NID_aes_128_cfb128, 1 /* block_size */, 16 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
+ aes_cfb_init_key, aes_cfb128_cipher, NULL /* cleanup */,
+ NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_192_cfb1 = {
- NID_aes_192_cfb1, 1 /* block_size */, 24 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- NULL /* app_data */, aes_cfb_init_key, aes_cfb1_cipher,
- NULL /* cleanup */, NULL /* ctrl */,
+ NID_aes_192_cfb1, 1 /* block_size */, 24 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
+ aes_cfb_init_key, aes_cfb1_cipher, NULL /* cleanup */,
+ NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_192_cfb8 = {
- NID_aes_192_cfb8, 1 /* block_size */, 24 /* 
key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- NULL /* app_data */, aes_cfb_init_key, aes_cfb8_cipher,
- NULL /* cleanup */, NULL /* ctrl */,
+ NID_aes_192_cfb8, 1 /* block_size */, 24 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
+ aes_cfb_init_key, aes_cfb8_cipher, NULL /* cleanup */,
+ NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_192_cfb128 = {
- NID_aes_192_cfb128, 1 /* block_size */, 24 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- NULL /* app_data */, aes_cfb_init_key, aes_cfb128_cipher,
- NULL /* cleanup */, NULL /* ctrl */,
+ NID_aes_192_cfb128, 1 /* block_size */, 24 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
+ aes_cfb_init_key, aes_cfb128_cipher, NULL /* cleanup */,
+ NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_256_cfb1 = {
- NID_aes_256_cfb1, 1 /* block_size */, 32 /* key_size */,
- 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- NULL /* app_data */, aes_cfb_init_key, aes_cfb1_cipher,
- NULL /* cleanup */, NULL /* ctrl */,
+ NID_aes_256_cfb1, 1 /* block_size */, 32 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
+ aes_cfb_init_key, aes_cfb1_cipher, NULL /* cleanup */,
+ NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_256_cfb8 = {
 NID_aes_256_cfb8, 1 /* block_size */, 32 /* key_size */,
 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- NULL /* app_data */, aes_cfb_init_key, aes_cfb8_cipher,
- NULL /* cleanup */, NULL /* ctrl */,
+ aes_cfb_init_key, aes_cfb8_cipher, NULL /* cleanup */,
+ NULL /* ctrl */,
 };
 static const EVP_CIPHER aes_256_cfb128 = {
 NID_aes_256_cfb128, 1 /* block_size */, 32 /* key_size */,
 16 /* iv_len */, sizeof(EVP_CFB_CTX), EVP_CIPH_CFB_MODE,
- NULL /* app_data */, aes_cfb_init_key, aes_cfb128_cipher,
- NULL /* cleanup */, NULL /* ctrl */,
+ aes_cfb_init_key, aes_cfb128_cipher, NULL /* cleanup */,
+ NULL /* ctrl */,
 };
 const EVP_CIPHER *EVP_aes_128_cfb1(void) { 
return &aes_128_cfb1; }
diff --git a/crypto/digest_extra/digest_extra.c b/crypto/digest_extra/digest_extra.c
index 4e2384a92b..28254f9c9e 100644
--- a/crypto/digest_extra/digest_extra.c
+++ b/crypto/digest_extra/digest_extra.c
@@ -230,6 +230,7 @@ int EVP_marshal_digest_algorithm(CBB *cbb, const EVP_MD *md) {
 return 0;
 }
+ // TODO(crbug.com/boringssl/710): Is this correct? See RFC 4055, section 2.1.
 if (!CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) ||
 !CBB_flush(cbb)) {
 return 0;
diff --git a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c
index ae0568d66c..3b5b2d20df 100644
--- a/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c
+++ b/crypto/dilithium/pqcrystals_dilithium_ref_common/sign.c
@@ -31,7 +31,8 @@ int crypto_sign_keypair_internal(ml_dsa_params *params,
 uint8_t tr[TRBYTES];
 const uint8_t *rho, *rhoprime, *key;
 polyvecl mat[DILITHIUM_K_MAX];
- polyvecl s1, s1hat;
+ polyvecl s1 = {{{{0}}}};
+ polyvecl s1hat;
 polyveck s2, t1, t0;
 OPENSSL_memcpy(seedbuf, seed, SEEDBYTES);
diff --git a/crypto/dsa/dsa.c b/crypto/dsa/dsa.c
index 24063ae8ac..16db9b32a9 100644
--- a/crypto/dsa/dsa.c
+++ b/crypto/dsa/dsa.c
@@ -304,6 +304,8 @@ int dsa_internal_paramgen(DSA *dsa, size_t bits, const EVP_MD *evpmd,
 if (!RAND_bytes(seed, qsize)) {
 goto err;
 }
+ // DSA parameters are public.
+ CONSTTIME_DECLASSIFY(seed, qsize);
 } else {
 // If we come back through, use random seed next time.
 seed_in = NULL;
@@ -544,6 +546,9 @@ int DSA_generate_key(DSA *dsa) {
 goto err;
 }
+ // The public key is computed from the private key, but is public.
+ bn_declassify(pub_key);
+
 dsa->priv_key = priv_key;
 dsa->pub_key = pub_key;
 ok = 1;
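Review bot: The added TODO records a doubt about emitting NULL digest parameters but leaves the behaviour unchanged, and as I read RFC 4055 section 2.1 implementations SHOULD generate SHA-2 AlgorithmIdentifiers with absent parameters while accepting both encodings. The x_algor.c hunk in this same diff already decides between NULL and absent with `EVP_MD_flags(md) & EVP_MD_FLAG_DIGALGID_ABSENT`, so the TODO could at least point a future reader at that flag, e.g. `// TODO(crbug.com/boringssl/710): Is this correct? See RFC 4055, section 2.1; X509_ALGOR_set_md consults EVP_MD_FLAG_DIGALGID_ABSENT for the same decision.` The start of EVP_marshal_digest_algorithm is outside the hunk, so whether the flag is already checked earlier cannot be confirmed from here.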
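Review bot: Only `s1` gains an initializer while `s1hat`, `s2`, `t1` and `t0` declared beside it stay uninitialized, so the reason for singling it out (a maybe-uninitialized diagnostic, or a guarantee that no stale stack bytes are ever read) should be stated next to it, e.g. `// Zero-initialized so no path reads it before it is fully written.` if that is the reason. The nested-brace form `{{{{0}}}}` also ties the line to the exact nesting depth of polyvecl; `polyvecl s1 = {0};` is the portable C spelling and survives a layout change. Since s1 holds secret-key material, a zero initializer does not substitute for cleansing it on exit; crypto_sign_keypair_internal continues outside the hunk, so the cleanup cannot be checked here.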
@@ -680,6 +685,10 @@ DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) {
 goto err;
 }
+ // The signature is computed from the private key, but is public.
+ bn_declassify(r);
+ bn_declassify(s);
+
 // Redo if r or s is zero as required by FIPS 186-3: this is
 // very unlikely.
 if (BN_is_zero(r) || BN_is_zero(s)) {
@@ -712,7 +721,7 @@ DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) {
 return ret;
 }
-int DSA_do_verify(const uint8_t *digest, size_t digest_len, DSA_SIG *sig,
+int DSA_do_verify(const uint8_t *digest, size_t digest_len, const DSA_SIG *sig,
 const DSA *dsa) {
 int valid;
 if (!DSA_do_check_signature(&valid, digest, digest_len, sig, dsa)) {
@@ -722,7 +731,8 @@ int DSA_do_verify(const uint8_t *digest, size_t digest_len, DSA_SIG *sig,
 }
 int DSA_do_check_signature(int *out_valid, const uint8_t *digest,
- size_t digest_len, DSA_SIG *sig, const DSA *dsa) {
+ size_t digest_len, const DSA_SIG *sig,
+ const DSA *dsa) {
 *out_valid = 0;
 if (!dsa_check_key(dsa)) {
 return 0;
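Review bot: DSA_do_verify and DSA_do_check_signature now take `const DSA_SIG *sig`, which is a change to a public signature, and the matching prototypes (presumably in include/openssl/dsa.h) are not in this diff; without them the definitions will conflict with the declarations at compile time. The change is source- and ABI-compatible for existing callers, so it only needs the header to follow. Both function bodies continue outside their hunks, so whether anything inside them still writes through `sig` cannot be verified here.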
@@ -930,15 +940,19 @@ static int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx, BIGNUM **out_kinv,
 ctx) ||
 // Compute r = (g^k mod p) mod q
 !BN_mod_exp_mont_consttime(r, dsa->g, &k, dsa->p, ctx,
- dsa->method_mont_p) ||
- // Note |BN_mod| below is not constant-time and may leak information about
- // |r|. |dsa->p| may be significantly larger than |dsa->q|, so this is not
- // easily performed in constant-time with Montgomery reduction.
- //
- // However, |r| at this point is g^k (mod p). It is almost the value of
- // |r| revealed in the signature anyway (g^k (mod p) (mod q)), going from
- // it to |k| would require computing a discrete log.
- !BN_mod(r, r, dsa->q, ctx) ||
+ dsa->method_mont_p)) {
+ OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);
+ goto err;
+ }
+ // Note |BN_mod| below is not constant-time and may leak information about
+ // |r|. |dsa->p| may be significantly larger than |dsa->q|, so this is not
+ // easily performed in constant-time with Montgomery reduction.
+ //
+ // However, |r| at this point is g^k (mod p). It is almost the value of |r|
+ // revealed in the signature anyway (g^k (mod p) (mod q)), going from it to
+ // |k| would require computing a discrete log.
+ bn_declassify(r);
+ if (!BN_mod(r, r, dsa->q, ctx) ||
 // Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little
 // Theorem.
 !bn_mod_inverse_prime(kinv, &k, dsa->q, ctx, dsa->method_mont_q)) {
diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c
index 1985bb4f6f..0e9dd56c2d 100644
--- a/crypto/dsa/dsa_asn1.c
+++ b/crypto/dsa/dsa_asn1.c
@@ -63,6 +63,7 @@
 #include "internal.h"
 #include "../bytestring/internal.h"
+#include "../crypto/internal.h"
 #define OPENSSL_DSA_MAX_MODULUS_BITS 10000
@@ -119,8 +120,9 @@ int dsa_check_key(const DSA *dsa) {
 if (dsa->priv_key != NULL) {
 // The private key is a non-zero element of the scalar field, determined by
 // |q|.
- if (BN_is_negative(dsa->priv_key) || BN_is_zero(dsa->priv_key) ||
- BN_cmp(dsa->priv_key, dsa->q) >= 0) {
+ if (BN_is_negative(dsa->priv_key) ||
+ constant_time_declassify_int(BN_is_zero(dsa->priv_key)) ||
+ constant_time_declassify_int(BN_cmp(dsa->priv_key, dsa->q) >= 0)) {
 OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
 return 0;
 }
diff --git a/crypto/evp_extra/evp_extra_test.cc b/crypto/evp_extra/evp_extra_test.cc
index 1ddf4698f9..6d85556c3d 100644
--- a/crypto/evp_extra/evp_extra_test.cc
+++ b/crypto/evp_extra/evp_extra_test.cc
@@ -3352,3 +3352,12 @@ TEST(EVPExtraTest, DSADigestSignVerify) {
 ASSERT_TRUE(EVP_DigestVerify(md_ctx.get(), sig.data(), sig.size(), (const uint8_t*)data, data_len));
 }
 }
+
+TEST(EVPExtraTest, RawKeyUnsupported) {
+ static const uint8_t kKey[] = {1, 2, 3, 4};
+ EXPECT_FALSE(
+ EVP_PKEY_new_raw_public_key(EVP_PKEY_RSA, nullptr, kKey, sizeof(kKey)));
+ EXPECT_FALSE(
+ EVP_PKEY_new_raw_private_key(EVP_PKEY_RSA, nullptr, kKey, sizeof(kKey)));
+}
+
diff --git a/crypto/fipsmodule/bn/gcd_extra.c b/crypto/fipsmodule/bn/gcd_extra.c
index b4fe00e3e4..76f337cbca 100644
--- a/crypto/fipsmodule/bn/gcd_extra.c
+++ b/crypto/fipsmodule/bn/gcd_extra.c
@@ -314,7 +314,10 @@ int bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, const BIGNUM *a,
 }
 assert(BN_is_zero(v));
- if (!BN_is_one(u)) {
+ // While the inputs and output are secret, this function considers whether the
+ // input was invertible to be public. It is used as part of RSA key
+ // generation, where inputs are chosen to already be invertible.
+ if (constant_time_declassify_int(!BN_is_one(u))) {
 *out_no_inverse = 1;
 OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
 goto err;
diff --git a/crypto/fipsmodule/bn/prime.c b/crypto/fipsmodule/bn/prime.c
index 99839e4414..b31456470b 100644
--- a/crypto/fipsmodule/bn/prime.c
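Review bot: The added `#include "../crypto/internal.h"` in dsa_asn1.c does not resolve the way its neighbour `#include "../bytestring/internal.h"` does: relative to crypto/dsa/, `..` is crypto/, so the sibling-consistent path to crypto/internal.h is `#include "../internal.h"`. The line may still compile if some include directory happens to make `../crypto/` reach the tree root, but it then depends on build configuration rather than on file layout, and a different build (bindings, a vendored copy) can break. The include presumably exists to provide `constant_time_declassify_int` for the dsa_check_key hunk; that hunk itself looks right, since BN_is_negative only reads the sign flag and does not need declassifying.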
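Review bot: RawKeyUnsupported only checks that both calls return null; it does not assert which reason the new `default:` branches push, and it leaves those two entries on the thread's error queue for whatever test runs next. After each EXPECT_FALSE, `EXPECT_TRUE(ErrorEquals(ERR_get_error(), ERR_LIB_EVP, EVP_R_UNSUPPORTED_ALGORITHM));` (the test_util helper, if this file already uses it) would both drain the queue and pin the reason code that the evp.c hunks change from EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE. The added trailing blank line at end of file is unnecessary.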
+++ b/crypto/fipsmodule/bn/prime.c
@@ -502,7 +502,10 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
 static int bn_trial_division(uint16_t *out, const BIGNUM *bn) {
 const size_t num_primes = num_trial_division_primes(bn);
 for (size_t i = 1; i < num_primes; i++) {
- if (bn_mod_u16_consttime(bn, kPrimes[i]) == 0) {
+ // During RSA key generation, |bn| may be secret, but only if |bn| was
+ // prime, so it is safe to leak failed trial divisions.
+ if (constant_time_declassify_int(bn_mod_u16_consttime(bn, kPrimes[i]) ==
+ 0)) {
 *out = kPrimes[i];
 return 1;
 }
@@ -588,7 +591,8 @@ int bn_miller_rabin_iteration(const BN_MILLER_RABIN *miller_rabin,
 // To avoid leaking |a|, we run the loop to |w_bits| and mask off all
 // iterations once |j| = |a|.
 for (int j = 1; j < miller_rabin->w_bits; j++) {
- if (constant_time_eq_int(j, miller_rabin->a) & ~is_possibly_prime) {
+ if (constant_time_declassify_w(constant_time_eq_int(j, miller_rabin->a) &
+ ~is_possibly_prime)) {
 // If the loop is done and we haven't seen z = 1 or z = w-1 yet, the
 // value is composite and we can break in variable time.
 break;
@@ -608,12 +612,14 @@ int bn_miller_rabin_iteration(const BN_MILLER_RABIN *miller_rabin,
 // Step 4.5.3. If z = 1 and the loop is not done, the previous value of z
 // was not -1. There are no non-trivial square roots of 1 modulo a prime, so
 // w is composite and we may exit in variable time.
- if (BN_equal_consttime(z, miller_rabin->one_mont) & ~is_possibly_prime) {
+ if (constant_time_declassify_w(
+ BN_equal_consttime(z, miller_rabin->one_mont) &
+ ~is_possibly_prime)) {
 break;
 }
 }
- *out_is_possibly_prime = is_possibly_prime & 1;
+ *out_is_possibly_prime = constant_time_declassify_w(is_possibly_prime) & 1;
 ret = 1;
 err:
@@ -751,8 +757,9 @@ int BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks,
 crypto_word_t uniform_iterations = 0;
 // Using |constant_time_lt_w| seems to prevent the compiler from optimizing
 // this into two jumps.
- for (int i = 1; (i <= BN_PRIME_CHECKS_BLINDED) |
- constant_time_lt_w(uniform_iterations, checks);
+ for (int i = 1; constant_time_declassify_w(
+ (i <= BN_PRIME_CHECKS_BLINDED) |
+ constant_time_lt_w(uniform_iterations, checks));
 i++) {
 // Step 4.1-4.2
 int is_uniform;
diff --git a/crypto/fipsmodule/cipher/internal.h b/crypto/fipsmodule/cipher/internal.h
index e37102eb80..a2170f0691 100644
--- a/crypto/fipsmodule/cipher/internal.h
+++ b/crypto/fipsmodule/cipher/internal.h
@@ -175,9 +175,6 @@ struct evp_cipher_st {
 // flags contains the OR of a number of flags. See |EVP_CIPH_*|.
 uint32_t flags;
- // app_data is a pointer to opaque, user data.
- void *app_data;
-
 int (*init)(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv,
 int enc);
diff --git a/crypto/fipsmodule/ec/ec_key.c b/crypto/fipsmodule/ec/ec_key.c
index c98620f62f..ccc3221029 100644
--- a/crypto/fipsmodule/ec/ec_key.c
+++ b/crypto/fipsmodule/ec/ec_key.c
@@ -238,7 +238,10 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) {
 return 0;
 }
 if (!ec_bignum_to_scalar(key->group, &scalar->scalar, priv_key) ||
- ec_scalar_is_zero(key->group, &scalar->scalar)) {
+ // Zero is not a valid private key, so it is safe to leak the result of
+ // this comparison.
+ constant_time_declassify_int(
+ ec_scalar_is_zero(key->group, &scalar->scalar))) {
 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_PRIVATE_KEY);
 ec_wrapped_scalar_free(scalar);
 return 0;
diff --git a/crypto/fipsmodule/ec/scalar.c b/crypto/fipsmodule/ec/scalar.c
index a86ee0fbbc..b05d50845d 100644
--- a/crypto/fipsmodule/ec/scalar.c
+++ b/crypto/fipsmodule/ec/scalar.c
@@ -23,8 +23,12 @@ int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
 const BIGNUM *in) {
+ // Scalars, which are often secret, must be reduced modulo the order. Those
+ // that are not will be discarded, so leaking the result of the comparison is
+ // safe.
 if (!bn_copy_words(out->words, group->order.N.width, in) ||
- !bn_less_than_words(out->words, group->order.N.d, group->order.N.width)) {
+ !constant_time_declassify_int(bn_less_than_words(
+ out->words, group->order.N.d, group->order.N.width))) {
 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
 return 0;
 }
diff --git a/crypto/fipsmodule/evp/evp.c b/crypto/fipsmodule/evp/evp.c
index 7bfc79ea91..496cb3b681 100644
--- a/crypto/fipsmodule/evp/evp.c
+++ b/crypto/fipsmodule/evp/evp.c
@@ -264,11 +264,9 @@ void evp_pkey_set_method(EVP_PKEY *pkey, const EVP_PKEY_ASN1_METHOD *method) {
 }
 int EVP_PKEY_type(int nid) {
- const EVP_PKEY_ASN1_METHOD *meth = evp_pkey_asn1_find(nid);
- if (meth == NULL) {
- return NID_undef;
- }
- return meth->pkey_id;
+ // In OpenSSL, this was used to map between type aliases. BoringSSL supports
+ // no type aliases, so this function is just the identity.
+ return nid;
 }
 EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *engine, const uint8_t *mac_key,
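Review bot: EVP_PKEY_type now returns its argument unchanged, so the NID_undef result for a nid with no registered method is gone; a caller that used `EVP_PKEY_type(nid) == NID_undef` to reject unsupported key types silently loses that check. If that is intended, the public header's description of the function (not in this diff) should say it is the identity, and the commit message should mention that in-tree and downstream callers were checked. The removed `evp_pkey_asn1_find` call was the only lookup in the hunk, so nothing else here depends on it.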
@@ -471,16 +469,29 @@ int EVP_PKEY_set_type(EVP_PKEY *pkey, int type) {
 EVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *unused,
 const uint8_t *in, size_t len) {
 SET_DIT_AUTO_RESET;
- EVP_PKEY *ret = EVP_PKEY_new();
- if (ret == NULL ||
- !EVP_PKEY_set_type(ret, type)) {
- goto err;
+ // To avoid pulling in all key types, look for specifically the key types that
+ // support |set_priv_raw|.
+ const EVP_PKEY_ASN1_METHOD *method;
+ switch (type) {
+ case EVP_PKEY_X25519:
+ method = &x25519_asn1_meth;
+ break;
+ case EVP_PKEY_ED25519:
+ method = &ed25519_asn1_meth;
+ break;
+ case EVP_PKEY_HMAC:
+ method = &hmac_asn1_meth;
+ break;
+ default:
+ OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
+ return 0;
 }
- if (ret->ameth->set_priv_raw == NULL) {
- OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
+ EVP_PKEY *ret = EVP_PKEY_new();
+ if (ret == NULL) {
 goto err;
 }
+ evp_pkey_set_method(ret, method);
 if (!ret->ameth->set_priv_raw(ret, in, len, NULL, 0)) {
 goto err;
@@ -495,16 +506,26 @@ EVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *unused,
 EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *unused,
 const uint8_t *in, size_t len) {
- EVP_PKEY *ret = EVP_PKEY_new();
- if (ret == NULL ||
- !EVP_PKEY_set_type(ret, type)) {
- goto err;
+ // To avoid pulling in all key types, look for specifically the key types that
+ // support |set_pub_raw|.
+ const EVP_PKEY_ASN1_METHOD *method;
+ switch (type) {
+ case EVP_PKEY_X25519:
+ method = &x25519_asn1_meth;
+ break;
+ case EVP_PKEY_ED25519:
+ method = &ed25519_asn1_meth;
+ break;
+ default:
+ OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
+ return 0;
 }
- if (ret->ameth->set_pub_raw == NULL) {
- OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);
+ EVP_PKEY *ret = EVP_PKEY_new();
+ if (ret == NULL) {
 goto err;
 }
+ evp_pkey_set_method(ret, method);
 if (!ret->ameth->set_pub_raw(ret, in, len)) {
 goto err;
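Review bot: Both new `default:` arms end with `return 0;` for an `EVP_PKEY *` result while the lines just below test `ret == NULL`; `return NULL;` keeps one convention in the function. The failure reason also changes: a type that is known but has no raw setter (the diff's own test uses EVP_PKEY_RSA) previously reported EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE and now reports EVP_R_UNSUPPORTED_ALGORITHM, which any caller matching on the old reason will miss, so it deserves a line in the commit message. The two switches are identical apart from the EVP_PKEY_HMAC arm; a small static helper returning the method for a type plus a flag for private vs. public would keep them from drifting apart. Both functions continue past their hunks, so the `err:` paths cannot be checked here.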
diff --git a/crypto/fipsmodule/rsa/rsa.c b/crypto/fipsmodule/rsa/rsa.c
index 9372c5da5d..02ad388440 100644
--- a/crypto/fipsmodule/rsa/rsa.c
+++ b/crypto/fipsmodule/rsa/rsa.c
@@ -1319,8 +1319,10 @@ int RSA_check_key(const RSA *key) {
 // n was bound by |is_public_component_of_rsa_key_good|. This also implicitly
 // checks p and q are odd, which is a necessary condition for Montgomery
 // reduction.
- if (BN_is_negative(key->p) || BN_cmp(key->p, key->n) >= 0 ||
- BN_is_negative(key->q) || BN_cmp(key->q, key->n) >= 0) {
+ if (BN_is_negative(key->p) ||
+ constant_time_declassify_int(BN_cmp(key->p, key->n) >= 0) ||
+ BN_is_negative(key->q) ||
+ constant_time_declassify_int(BN_cmp(key->q, key->n) >= 0)) {
 OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
 goto out;
 }
@@ -1351,7 +1353,8 @@ int RSA_check_key(const RSA *key) {
 goto out;
 }
- if (!BN_is_one(&tmp) || !BN_is_one(&de)) {
+ if (constant_time_declassify_int(!BN_is_one(&tmp)) ||
+ constant_time_declassify_int(!BN_is_one(&de))) {
 OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);
 goto out;
 }
diff --git a/crypto/fipsmodule/rsa/rsa_impl.c b/crypto/fipsmodule/rsa/rsa_impl.c
index 8db1acac93..4839bad482 100644
--- a/crypto/fipsmodule/rsa/rsa_impl.c
+++ b/crypto/fipsmodule/rsa/rsa_impl.c
@@ -945,20 +945,25 @@ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
 // retrying. That is, we reject a negligible fraction of primes that are
 // within the FIPS bound, but we will never accept a prime outside the
 // bound, ensuring the resulting RSA key is the right size.
- if (BN_cmp(out, sqrt2) <= 0) {
+ //
+ // Values over the threshold are discarded, so it is safe to leak this
+ // comparison.
+ if (constant_time_declassify_int(BN_cmp(out, sqrt2) <= 0)) {
 continue;
 }
 // RSA key generation's bottleneck is discarding composites. If it fails
 // trial division, do not bother computing a GCD or performing Miller-Rabin.
 if (!bn_odd_number_is_obviously_composite(out)) {
- // Check gcd(out-1, e) is one (steps 4.5 and 5.6).
+ // Check gcd(out-1, e) is one (steps 4.5 and 5.6). Leaking the final
+ // result of this comparison is safe because, if not relatively prime, the
+ // value will be discarded.
 int relatively_prime;
- if (!BN_sub(tmp, out, BN_value_one()) ||
+ if (!bn_usub_consttime(tmp, out, BN_value_one()) ||
 !bn_is_relatively_prime(&relatively_prime, tmp, e, ctx)) {
 goto err;
 }
- if (relatively_prime) {
+ if (constant_time_declassify_int(relatively_prime)) {
 // Test |out| for primality (steps 4.5.1 and 5.6.1).
 int is_probable_prime;
 if (!BN_primality_test(&is_probable_prime, out,
@@ -1116,8 +1121,9 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value,
 }
 // Retry if |rsa->d| <= 2^|prime_bits|. See appendix B.3.1's guidance on
- // values for d.
- } while (BN_cmp(rsa->d, pow2_prime_bits) <= 0);
+ // values for d. When we retry, p and q are discarded, so it is safe to leak
+ // this comparison.
+ } while (constant_time_declassify_int(BN_cmp(rsa->d, pow2_prime_bits) <= 0));
 assert(BN_num_bits(pm1) == (unsigned)prime_bits);
 assert(BN_num_bits(qm1) == (unsigned)prime_bits);
@@ -1131,6 +1137,9 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value, } bn_set_minimal_width(rsa->n); + // |rsa->n| is computed from the private key, but is public. + bn_declassify(rsa->n); + // Sanity-check that |rsa->n| has the specified size. This is implied by // |generate_prime|'s bounds. if (BN_num_bits(rsa->n) != (unsigned)bits) { diff --git a/crypto/pkcs7/pkcs7_asn1.c b/crypto/pkcs7/pkcs7_asn1.c index d1bc0c0f74..4fb6881a67 100644 --- a/crypto/pkcs7/pkcs7_asn1.c +++ b/crypto/pkcs7/pkcs7_asn1.c @@ -186,3 +186,13 @@ ASN1_SEQUENCE(PKCS7_ENVELOPE) = { PKCS7_ENC_CONTENT)} ASN1_SEQUENCE_END(PKCS7_ENVELOPE) IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENVELOPE) + +int PKCS7_print_ctx(BIO *bio, PKCS7 *pkcs7, int indent, const ASN1_PCTX *pctx) { + GUARD_PTR(bio); + GUARD_PTR(pkcs7); + + if (BIO_printf(bio, "PKCS7 printing is not supported") <= 0) { + return 0; + } + return 1; +} diff --git a/crypto/pkcs7/pkcs7_test.cc b/crypto/pkcs7/pkcs7_test.cc index b24a59230b..b901f8e7db 100644 --- a/crypto/pkcs7/pkcs7_test.cc +++ b/crypto/pkcs7/pkcs7_test.cc @@ -2032,3 +2032,14 @@ TEST(PKCS7Test, TestSigned) { EXPECT_FALSE(PKCS7_verify(p7.get(), certs.get(), store.get(), bio_in.get(), bio_out.get(), /*flags*/ 0)); } + +TEST(PKCS7Test, PKCS7PrintNoop) { + bssl::UniquePtr bio(BIO_new(BIO_s_mem())); + bssl::UniquePtr p7(PKCS7_new()); + ASSERT_TRUE(PKCS7_print_ctx(bio.get(), p7.get(), 0, nullptr)); + + const uint8_t *contents; + size_t len; + ASSERT_TRUE(BIO_mem_contents(bio.get(), &contents, &len)); + EXPECT_EQ(Bytes(contents, len), Bytes("PKCS7 printing is not supported")); +} diff --git a/crypto/x509/rsa_pss.c b/crypto/x509/rsa_pss.c index 7b4680c573..f4da3756b6 100644 --- a/crypto/x509/rsa_pss.c +++ b/crypto/x509/rsa_pss.c 
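Review bot: `bn_declassify(rsa->n)` is inserted after `bn_set_minimal_width(rsa->n)`, so the width trimming still runs while the constant-time tooling regards n as secret; if that helper inspects the top words to decide how many to drop (which a minimal-width computation generally must), it branches on secret-tagged data even though, as the new comment states, n is public. If so, move the declassify and its comment above the `bn_set_minimal_width` call; the justification applies equally before trimming. rsa_generate_key_impl continues outside this hunk.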
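Review bot: PKCS7_print_ctx ignores `indent` and `pctx` and returns success after writing a fixed string, so nothing in the definition tells a maintainer this is deliberate rather than unfinished. Add a comment on the function, e.g. `// Stub kept for OpenSSL source compatibility; AWS-LC does not implement PKCS7 printing. |indent| and |pctx| are intentionally ignored and 1 is returned so callers treating 0 as an error keep working.` If the build enables -Wunused-parameter, also add `(void)indent; (void)pctx;` after the GUARD_PTR lines.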
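Review bot: The new test covers only the happy path; the two `GUARD_PTR` checks in PKCS7_print_ctx (NULL `bio`, NULL `pkcs7`) are not exercised, so dropping them would go unnoticed. Assuming GUARD_PTR returns 0 on a NULL argument (not visible in this diff), add `EXPECT_FALSE(PKCS7_print_ctx(nullptr, p7.get(), 0, nullptr));` and `EXPECT_FALSE(PKCS7_print_ctx(bio.get(), nullptr, 0, nullptr));` before the contents check. Also `ASSERT_TRUE(bio)` and `ASSERT_TRUE(p7)` after the allocations so an allocation failure is reported instead of dereferenced.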
@@ -127,7 +127,11 @@ static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) { if (*palg == NULL) { return 0; } - X509_ALGOR_set_md(*palg, md); + if (!X509_ALGOR_set_md(*palg, md)) { + X509_ALGOR_free(*palg); + *palg = NULL; + return 0; + } return 1; } diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc index c589a06bce..9286f88122 100644 --- a/crypto/x509/x509_test.cc +++ b/crypto/x509/x509_test.cc @@ -3245,6 +3245,25 @@ TEST(X509Test, PrettyPrintIntegers) { } } +TEST(X509Test, X509AlgorSetMd) { + bssl::UniquePtr alg(X509_ALGOR_new()); + ASSERT_TRUE(alg); + EXPECT_TRUE(X509_ALGOR_set_md(alg.get(), EVP_sha256())); + const ASN1_OBJECT *obj; + const void *pval; + int ptype = 0; + X509_ALGOR_get0(&obj, &ptype, &pval, alg.get()); + EXPECT_TRUE(obj); + EXPECT_EQ(OBJ_obj2nid(obj), NID_sha256); + EXPECT_EQ(ptype, V_ASN1_NULL); // OpenSSL has V_ASN1_UNDEF + EXPECT_EQ(pval, nullptr); + EXPECT_TRUE(X509_ALGOR_set_md(alg.get(), EVP_md5())); + X509_ALGOR_get0(&obj, &ptype, &pval, alg.get()); + EXPECT_EQ(OBJ_obj2nid(obj), NID_md5); + EXPECT_EQ(ptype, V_ASN1_NULL); + EXPECT_EQ(pval, nullptr); +} + TEST(X509Test, X509NameSet) { bssl::UniquePtr name(X509_NAME_new()); ASSERT_TRUE(name); diff --git a/crypto/x509/x_algor.c b/crypto/x509/x_algor.c index 819aee5f35..bdc77ae969 100644 --- a/crypto/x509/x_algor.c +++ b/crypto/x509/x_algor.c @@ -123,7 +123,7 @@ void X509_ALGOR_get0(const ASN1_OBJECT **out_obj, int *out_param_type, // Set up an X509_ALGOR DigestAlgorithmIdentifier from an EVP_MD -void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md) { +int X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md) { int param_type; if (EVP_MD_flags(md) & EVP_MD_FLAG_DIGALGID_ABSENT) { 
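Review bot: On `X509_ALGOR_set_md` failure the new code frees `*palg` and NULLs it, which is correct only if `*palg` was assigned from a fresh allocation just above; that line is outside the hunk, though the `if (*palg == NULL) return 0;` context suggests it. If the function can also be entered with a caller-owned `*palg`, freeing it here leaves the caller with a dangling pointer, so pin the ownership with `// |*palg| was allocated above; release it so the caller sees NULL on failure.` rsa_md_to_algor begins outside the hunk.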
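Review bot: X509AlgorSetMd exercises only the `V_ASN1_NULL` branch of X509_ALGOR_set_md; the `EVP_MD_FLAG_DIGALGID_ABSENT` branch visible in x_algor.c is untested, so if any digest in the library sets that flag, add a case asserting its parameter type. Prefer `ASSERT_TRUE(obj)` over `EXPECT_TRUE(obj)` before `OBJ_obj2nid(obj)` so a NULL object stops the test rather than being passed on, and check the result of the second `X509_ALGOR_get0` the same way.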
@@ -132,7 +132,7 @@ void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md) { param_type = V_ASN1_NULL; } - X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL); + return X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL); } // X509_ALGOR_cmp returns 0 if |a| and |b| are equal and non-zero otherwise. diff --git a/include/openssl/bn.h b/include/openssl/bn.h index c41073d915..ad539dad20 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h 
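Review bot: `return X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL);` now forwards set0's status, but a digest whose NID has no OID makes `OBJ_nid2obj` return NULL, and whether `X509_ALGOR_set0` reports that as failure is not visible here (if it follows OpenSSL in leaving the algorithm untouched on a NULL object, success would be returned for an unchanged `alg`). To make the new return value trustworthy, check it explicitly before the call: `const ASN1_OBJECT *obj = OBJ_nid2obj(EVP_MD_type(md)); if (obj == NULL) { return 0; }`. The function's opening lines are in the previous hunk.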
@@ -394,41 +394,50 @@ OPENSSL_EXPORT void BN_CTX_end(BN_CTX *ctx); // BN_add sets |r| = |a| + |b|, where |r| may be the same pointer as either |a| // or |b|. It returns one on success and zero on allocation failure. +// The size of |a| and |b| are assumed to be public. OPENSSL_EXPORT int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); // BN_uadd sets |r| = |a| + |b|, where |a| and |b| are non-negative and |r| may // be the same pointer as either |a| or |b|. It returns one on success and zero // on allocation failure. +// The size of |a| and |b| are assumed to be public. OPENSSL_EXPORT int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); // BN_add_word adds |w| to |a|. It returns one on success and zero otherwise. +// The size of |a| and |w| are assumed to be public. OPENSSL_EXPORT int BN_add_word(BIGNUM *a, BN_ULONG w); // BN_sub sets |r| = |a| - |b|, where |r| may be the same pointer as either |a| // or |b|. It returns one on success and zero on allocation failure. +// The size of |a| and |b| are assumed to be public. OPENSSL_EXPORT int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); // BN_usub sets |r| = |a| - |b|, where |a| and |b| are non-negative integers, // |b| < |a| and |r| may be the same pointer as either |a| or |b|. It returns // one on success and zero on allocation failure. +// The size of |a| and |b| are assumed to be public. OPENSSL_EXPORT int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); // BN_sub_word subtracts |w| from |a|. It returns one on success and zero on // allocation failure. +// The size of |a| and |w| are assumed to be public. OPENSSL_EXPORT int BN_sub_word(BIGNUM *a, BN_ULONG w); // BN_mul sets |r| = |a| * |b|, where |r| may be the same pointer as |a| or // |b|. Returns one on success and zero otherwise. +// The size of |a| and |b| are assumed to be public. OPENSSL_EXPORT int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); // BN_mul_word sets |bn| = |bn| * |w|. 
It returns one on success or zero on // allocation failure. +// The size of |bn| and |w| are assumed to be public. OPENSSL_EXPORT int BN_mul_word(BIGNUM *bn, BN_ULONG w); // BN_sqr sets |r| = |a|^2 (i.e. squares), where |r| may be the same pointer as // |a|. Returns one on success and zero otherwise. This is more efficient than // BN_mul(r, a, a, ctx). +// The size of |a| is assumed to be public. OPENSSL_EXPORT int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); // BN_div divides |numerator| by |divisor| and places the result in |quotient| @@ -436,18 +445,21 @@ OPENSSL_EXPORT int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); // which case the respective value is not returned. The result is rounded // towards zero; thus if |numerator| is negative, the remainder will be zero or // negative. It returns one on success or zero on error. +// The size of arguments are assumed to be public. OPENSSL_EXPORT int BN_div(BIGNUM *quotient, BIGNUM *rem, const BIGNUM *numerator, const BIGNUM *divisor, BN_CTX *ctx); // BN_div_word sets |numerator| = |numerator|/|divisor| and returns the // remainder or (BN_ULONG)-1 on error. +// The size of arguments are assumed to be public. OPENSSL_EXPORT BN_ULONG BN_div_word(BIGNUM *numerator, BN_ULONG divisor); // BN_sqrt sets |*out_sqrt| (which may be the same |BIGNUM| as |in|) to the // square root of |in|, using |ctx|. It returns one on success or zero on // error. Negative numbers and non-square numbers will result in an error with // appropriate errors on the error queue. +// the size of |in| is assumed public. OPENSSL_EXPORT int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx); diff --git a/include/openssl/dh.h b/include/openssl/dh.h index 4910ee53fb..c3904f827a 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h 
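Review bot: The added sentence `The size of |a| and |b| are assumed to be public.` is ungrammatical and does not say what "size" means to a constant-time caller: the width (word or bit count) may leak through timing while the values stay secret. Suggest `The widths of |a| and |b| are treated as public; their values are not.` for the two-operand functions and `The width of |a| is treated as public.` for BN_add_word, BN_sub_word, BN_mul_word and BN_sqr, worded identically so the guarantee can be grepped for.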
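Review bot: The three new sentences disagree with each other and with the previous hunk: `The size of arguments are assumed to be public.` (twice) lacks an article and mismatches number, and `the size of |in| is assumed public.` starts lowercase. Use one form, e.g. `The widths of all arguments are treated as public.` for BN_div and BN_div_word and `The width of |in| is treated as public.` for BN_sqrt.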
@@ -75,6 +75,12 @@ extern "C" { // Allocation and destruction. +// +// A |DH| object represents a Diffie-Hellman key or group parameters. A given +// object may be used concurrently on multiple threads by non-mutating +// functions, provided no other thread is concurrently calling a mutating +// function. Unless otherwise documented, functions which take a |const| pointer +// are non-mutating and functions which take a non-|const| pointer are mutating. // DH_new returns a new, empty DH object or NULL on error. OPENSSL_EXPORT DH *DH_new(void); @@ -87,7 +93,8 @@ OPENSSL_EXPORT DH *DH_new_by_nid(int nid); // count drops to zero. OPENSSL_EXPORT void DH_free(DH *dh); -// DH_up_ref increments the reference count of |dh| and returns one. +// DH_up_ref increments the reference count of |dh| and returns one. It does not +// mutate |dh| for thread-safety purposes and may be used concurrently. OPENSSL_EXPORT int DH_up_ref(DH *dh); @@ -223,6 +230,9 @@ OPENSSL_EXPORT int DH_generate_key(DH *dh); // Callers that expect a fixed-width secret should use this function over // |DH_compute_key|. Callers that use either function should migrate to a modern // primitive such as X25519 or ECDH with P-256 instead. +// +// This function does not mutate |dh| for thread-safety purposes and may be used +// concurrently. OPENSSL_EXPORT int DH_compute_key_padded(uint8_t *out, const BIGNUM *peers_key, DH *dh); @@ -234,6 +244,9 @@ OPENSSL_EXPORT int DH_compute_key_padded(uint8_t *out, const BIGNUM *peers_key, // // NOTE: this follows the usual BoringSSL return-value convention, but that's // different from |DH_compute_key| and |DH_compute_key_padded|. +// +// This function does not mutate |dh| for thread-safety purposes and may be used +// concurrently. OPENSSL_EXPORT int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len, size_t max_out_len, const BIGNUM *peers_key, 
@@ -336,6 +349,9 @@ OPENSSL_EXPORT int i2d_DHparams(const DH *in, unsigned char **outp); // Callers that expect a fixed-width secret should use |DH_compute_key_padded| // instead. Callers that use either function should migrate to a modern // primitive such as X25519 or ECDH with P-256 instead. +// +// This function does not mutate |dh| for thread-safety purposes and may be used +// concurrently. OPENSSL_EXPORT int DH_compute_key(uint8_t *out, const BIGNUM *peers_key, DH *dh); diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index ae40eafc01..5733e06132 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h @@ -80,6 +80,12 @@ extern "C" { // Allocation and destruction. +// +// A |DSA| object represents a DSA key or group parameters. A given object may +// be used concurrently on multiple threads by non-mutating functions, provided +// no other thread is concurrently calling a mutating function. Unless otherwise +// documented, functions which take a |const| pointer are non-mutating and +// functions which take a non-|const| pointer are mutating. // DSA_new returns a new, empty DSA object or NULL on error. OPENSSL_EXPORT DSA *DSA_new(void); @@ -88,7 +94,8 @@ OPENSSL_EXPORT DSA *DSA_new(void); // reference count drops to zero. OPENSSL_EXPORT void DSA_free(DSA *dsa); -// DSA_up_ref increments the reference count of |dsa| and returns one. +// DSA_up_ref increments the reference count of |dsa| and returns one. It does +// not mutate |dsa| for thread-safety purposes and may be used concurrently. OPENSSL_EXPORT int DSA_up_ref(DSA *dsa); // DSA_print prints a textual representation of |dsa| to |bio|. It returns one 
@@ -225,7 +232,7 @@ OPENSSL_EXPORT DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, // // TODO(fork): deprecate. OPENSSL_EXPORT int DSA_do_verify(const uint8_t *digest, size_t digest_len, - DSA_SIG *sig, const DSA *dsa); + const DSA_SIG *sig, const DSA *dsa); // DSA_do_check_signature sets |*out_valid| to zero. Then it verifies that |sig| // is a valid signature, by the public key in |dsa| of the hash in |digest| @@ -234,7 +241,7 @@ OPENSSL_EXPORT int DSA_do_verify(const uint8_t *digest, size_t digest_len, // It returns one if it was able to verify the signature as valid or invalid, // and zero on error. OPENSSL_EXPORT int DSA_do_check_signature(int *out_valid, const uint8_t *digest, - size_t digest_len, DSA_SIG *sig, + size_t digest_len, const DSA_SIG *sig, const DSA *dsa); diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 437c5da77a..e09b68ffd7 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -136,10 +136,6 @@ OPENSSL_EXPORT int EVP_PKEY_bits(const EVP_PKEY *pkey); // values. OPENSSL_EXPORT int EVP_PKEY_id(const EVP_PKEY *pkey); -// EVP_PKEY_type returns |nid| if |nid| is a known key type and |NID_undef| -// otherwise. -OPENSSL_EXPORT int EVP_PKEY_type(int nid); - // EVP_MD_get0_name returns the short name of |md| OPENSSL_EXPORT const char *EVP_MD_get0_name(const EVP_MD *md); @@ -1262,6 +1258,9 @@ OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY(EC_KEY **out, const uint8_t **inp, // is NULL, it returns zero. OPENSSL_EXPORT int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key); +// EVP_PKEY_type returns |nid|. +OPENSSL_EXPORT int EVP_PKEY_type(int nid); + // EVP_PKEY_new_mac_key is deprecated. It allocates a fresh |EVP_PKEY| of // |type|. Only |EVP_PKEY_HMAC| is supported. |mac_key| is used as the HMAC key, // NULL |mac_key| will result in a complete zero-key being used, but in that diff --git a/include/openssl/pkcs7.h b/include/openssl/pkcs7.h index b53ebe68e2..bb930566e9 100644 --- a/include/openssl/pkcs7.h 
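Review bot: Const-qualifying `sig` in `DSA_do_verify` is a header-only change in the diff as shown; the definition in the DSA implementation must adopt the same prototype or the build breaks, and any non-const use of `sig` inside it (e.g. passing it to a helper taking `DSA_SIG *`) will then surface as a warning or error. If the matching .c change is in a part of the commit not shown here, disregard this.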
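Review bot: The new comment `EVP_PKEY_type returns |nid|.` describes an identity function, while the removed comment said it returned `NID_undef` for unknown key types; the implementation is not in this diff, so one of the two is wrong. If the function now returns its argument unchanged, say so and warn callers: `// EVP_PKEY_type returns |nid| unchanged. It is retained for OpenSSL source compatibility and no longer checks that |nid| is a known key type; callers must not rely on it for validation.` If the implementation still validates, restore the previous wording.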
+++ b/include/openssl/pkcs7.h @@ -523,6 +523,11 @@ OPENSSL_EXPORT OPENSSL_DEPRECATED PKCS7 *SMIME_read_PKCS7(BIO *in, BIO **bcont); OPENSSL_EXPORT OPENSSL_DEPRECATED int SMIME_write_PKCS7(BIO *out, PKCS7 *p7, BIO *data, int flags); +// PKCS7_print_ctx prints "PKCS7 printing is not supported" and returns 1. +OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_print_ctx(BIO *bio, PKCS7 *pkcs7, + int indent, + const ASN1_PCTX *pctx); + #if defined(__cplusplus) } // extern C diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 5b59d7d835..d757d8493c 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -2305,8 +2305,18 @@ OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj, // X509_ALGOR_set_md sets |alg| to the hash function |md|. Note this // AlgorithmIdentifier represents the hash function itself, not a signature -// algorithm that uses |md|. -OPENSSL_EXPORT void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); +// algorithm that uses |md|. It returns one on success and zero on error. +// +// Due to historical specification mistakes (see Section 2.1 of RFC 4055), the +// parameters field is sometimes omitted and sometimes a NULL value. When used +// in RSASSA-PSS and RSAES-OAEP, it should be a NULL value. In other contexts, +// the parameters should be omitted. This function assumes the caller is +// constructing a RSASSA-PSS or RSAES-OAEP AlgorithmIdentifier and includes a +// NULL parameter. This differs from OpenSSL's behavior. +// +// TODO(davidben): Rename this function, or perhaps just add a bespoke API for +// constructing PSS and move on. +OPENSSL_EXPORT int X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); // X509_ALGOR_cmp returns zero if |a| and |b| are equal, and some non-zero value // otherwise. Note this function can only be used for equality checks, not an diff --git a/tests/ci/run_posix_sanitizers.sh b/tests/ci/run_posix_sanitizers.sh index 6cf36396aa..4a16f9fd6c 100755 --- a/tests/ci/run_posix_sanitizers.sh 
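Review bot: The declaration's comment should state the failure behaviour and that the extra parameters have no effect, since callers porting from OpenSSL will pass real `indent`/`pctx` values: `// PKCS7_print_ctx writes "PKCS7 printing is not supported" to |bio| and returns one. |indent| and |pctx| are ignored. It returns zero if |bio| or |pkcs7| is NULL.` The NULL behaviour assumes GUARD_PTR in pkcs7_asn1.c returns 0, which this diff does not show.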
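Review bot: The new paragraph says X509_ALGOR_set_md includes a NULL parameter, but the implementation in x_algor.c branches on `EVP_MD_FLAG_DIGALGID_ABSENT` and selects a different parameter type in that case; the header should mention the exception so callers depending on the documented encoding are not surprised, e.g. `Digests flagged |EVP_MD_FLAG_DIGALGID_ABSENT| are the exception and are encoded without parameters.` The parameter type used in that branch is outside the visible hunk, so confirm it before wording the exception.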
+++ b/tests/ci/run_posix_sanitizers.sh @@ -7,7 +7,7 @@ set -exo pipefail source tests/ci/common_posix_setup.sh build_type=Release -cflags=("-DCMAKE_BUILD_TYPE=${build_type}") +cflags=("-DCMAKE_BUILD_TYPE=${build_type}" "-DENABLE_DILITHIUM=ON") if [ $(uname -p) == "aarch64" ]; then # BoringSSL provides two sets tests: the C/C++ tests and the blackbox tests. # Details: https://github.com/google/boringssl/blob/master/BUILDING.md @@ -47,4 +47,4 @@ if [ $(uname -p) == "x86_64" ]; then else echo "Testing AWS-LC in ${build_type} mode with thread sanitizer." build_and_test -DTSAN=1 -DUSE_CUSTOM_LIBCXX=1 "${cflags[@]}" -fi +fi \ No newline at end of file diff --git a/tests/ci/run_posix_tests.sh b/tests/ci/run_posix_tests.sh index 1c76bc54df..31a308fe94 100755 --- a/tests/ci/run_posix_tests.sh +++ b/tests/ci/run_posix_tests.sh 
@@ -7,36 +7,36 @@ set -exo pipefail source tests/ci/common_posix_setup.sh echo "Testing AWS-LC in debug mode." -build_and_test +build_and_test -DENABLE_DILITHIUM=ON echo "Testing AWS-LC in release mode." -build_and_test -DCMAKE_BUILD_TYPE=Release +build_and_test -DCMAKE_BUILD_TYPE=Release -DENABLE_DILITHIUM=ON -echo "Testing AWS-LC with Dilithium3 enabled." -build_and_test -DENABLE_DILITHIUM=ON +echo "Testing AWS-LC with Dilithium3 disabled." +build_and_test -DENABLE_DILITHIUM=OFF echo "Testing AWS-LC small compilation." -build_and_test -DOPENSSL_SMALL=1 -DCMAKE_BUILD_TYPE=Release +build_and_test -DOPENSSL_SMALL=1 -DCMAKE_BUILD_TYPE=Release -DENABLE_DILITHIUM=ON echo "Testing AWS-LC with libssl off." -build_and_test -DBUILD_LIBSSL=OFF -DCMAKE_BUILD_TYPE=Release +build_and_test -DBUILD_LIBSSL=OFF -DCMAKE_BUILD_TYPE=Release -DENABLE_DILITHIUM=ON echo "Testing AWS-LC in no asm mode." -build_and_test -DOPENSSL_NO_ASM=1 -DCMAKE_BUILD_TYPE=Release +build_and_test -DOPENSSL_NO_ASM=1 -DCMAKE_BUILD_TYPE=Release -DENABLE_DILITHIUM=ON echo "Testing building shared lib." -build_and_test -DBUILD_SHARED_LIBS=1 -DCMAKE_BUILD_TYPE=Release +build_and_test -DBUILD_SHARED_LIBS=1 -DCMAKE_BUILD_TYPE=Release -DENABLE_DILITHIUM=ON echo "Testing with a SysGenId." TEST_SYSGENID_PATH=$(mktemp) dd if=/dev/zero of="${TEST_SYSGENID_PATH}" bs=1 count=4096 -build_and_test -DTEST_SYSGENID_PATH="${TEST_SYSGENID_PATH}" +build_and_test -DTEST_SYSGENID_PATH="${TEST_SYSGENID_PATH}" -DENABLE_DILITHIUM=ON echo "Testing with pre-generated assembly code." -build_and_test -DDISABLE_PERL=ON +build_and_test -DDISABLE_PERL=ON -DENABLE_DILITHIUM=ON echo "Testing building with AArch64 Data-Independent Timing (DIT) on." -build_and_test -DENABLE_DATA_INDEPENDENT_TIMING=ON -DCMAKE_BUILD_TYPE=Release +build_and_test -DENABLE_DATA_INDEPENDENT_TIMING=ON -DCMAKE_BUILD_TYPE=Release -DENABLE_DILITHIUM=ON if [[ "${AWSLC_C99_TEST}" == "1" ]]; then echo "Testing the C99 compatability of AWS-LC headers." 
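Review bot: Every `build_and_test` invocation now repeats `-DENABLE_DILITHIUM=ON`, which is easy to forget on the next added run and obscures the one deliberate `OFF` case; hoist it, `common_flags=(-DENABLE_DILITHIUM=ON)`, and pass `"${common_flags[@]}"` to each call, leaving `-DENABLE_DILITHIUM=OFF` as the visible exception. A build using the CMake default for ENABLE_DILITHIUM is no longer exercised by this script; if the default is OFF the dedicated OFF run covers it, otherwise add one run without the flag. `build_and_test` itself comes from the sourced setup file, outside the hunk.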
@@ -54,10 +54,10 @@ build_options_to_test=("" "-DBUILD_SHARED_LIBS=1" "-DCMAKE_BUILD_TYPE=Release" " ## Build option: MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX for build_option in "${build_options_to_test[@]}"; do - run_build ${build_option} -DMY_ASSEMBLER_IS_TOO_OLD_FOR_AVX=ON + run_build ${build_option} -DMY_ASSEMBLER_IS_TOO_OLD_FOR_AVX=ON -DENABLE_DILITHIUM=ON done ## Build option: MY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX for build_option in "${build_options_to_test[@]}"; do - run_build ${build_option} -DMY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX=ON -done + run_build ${build_option} -DMY_ASSEMBLER_IS_TOO_OLD_FOR_512AVX=ON -DENABLE_DILITHIUM=ON +done \ No newline at end of file diff --git a/util/all_tests.go b/util/all_tests.go index 39c744f960..9f9359fc5e 100644 --- a/util/all_tests.go +++ b/util/all_tests.go @@ -483,5 +483,5 @@ func main() { os.Exit(1) } - fmt.Printf("\nAll tests passed!\n") + fmt.Printf("All unit tests passed!\n") } diff --git a/util/read_symbols.go b/util/read_symbols.go index 58bc16b282..211e0d3776 100644 --- a/util/read_symbols.go +++ b/util/read_symbols.go @@ -142,7 +142,7 @@ func main() { break } } - if skip || isCXXSymbol(s) || strings.HasPrefix(s, "__real@") || strings.HasPrefix(s, "__x86.get_pc_thunk.") { + if skip || isCXXSymbol(s) || strings.HasPrefix(s, "__real@") || strings.HasPrefix(s, "__x86.get_pc_thunk.") || strings.HasPrefix(s, "DW.") { continue } if _, err := fmt.Fprintln(out, s); err != nil {
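Review bot: The hunk removes the trailing newline from the script (`\ No newline at end of file`), a regression that editors and diff tools flag; restore it. The new `run_build ${build_option} ...` lines keep `${build_option}` unquoted, which is necessary so the empty entry in `build_options_to_test` expands to no argument, but that is worth stating above the loop: `# ${build_option} is intentionally unquoted: the empty entry must expand to nothing.`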
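Review bot: The skip condition is now a five-way `||` chain of prefix tests with no explanation of what `DW.` symbols are (presumably compiler-generated debug-info labels, which should be stated rather than left for the next reader to guess). Replacing the chain with a commented prefix list and a small helper makes each future addition one documented line. The enclosing loop in main begins outside the hunk.
```go
// skippedPrefixes are toolchain-generated symbols that are not part of the
// library's API and must not be listed.
var skippedPrefixes = []string{
	"__real@",
	"__x86.get_pc_thunk.",
	"DW.", // presumably DWARF debug-info labels — confirm and document the toolchain
}

func hasSkippedPrefix(s string) bool {
	for _, p := range skippedPrefixes {
		if strings.HasPrefix(s, p) {
			return true
		}
	}
	return false
}

// … unchanged: symbol iteration in main …
		if skip || isCXXSymbol(s) || hasSkippedPrefix(s) {
			continue
		}
```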